The Information Commissioner’s Office (“ICO”) has announced that it has fined TikTok £12.7 million for illegally processing children's personal data. It is one of the largest fines the ICO has issued to date.
Background
We previously reported that in September 2020 the ICO was considering fining TikTok Inc and TikTok Information Technologies UK Limited ("TikTok") £27 million for potentially breaching data protection law by processing the data of children under the age of 13 without parental consent. After publishing a notice of intent in relation to that fine, the ICO considered TikTok’s representations and decided not to pursue its original findings in relation to unlawful use of special category data (and so this is not included in the £12.7m fine).
The ICO fine
The social media platform was found to have breached data protection laws by collecting data on its younger users without obtaining parental consent. The company also failed to provide adequate privacy controls and did not take sufficient measures to protect children's data.
The investigation was launched following concerns raised by a coalition of children's rights groups in 2019. The groups accused TikTok of failing to comply with data protection laws and putting children at risk. The ICO also found that TikTok allowed 1.4 million UK children under 13 to use its platform in 2020, even though it sets 13 as the minimum age to create an account.
The ICO found that TikTok had been collecting data on users' age, location, and other personal information without their consent. This information was then used to target children with personalised advertisements.
A TikTok spokesperson has made the following comments on the decision:
“Our 40,000-strong safety team works around the clock to help keep the platform safe for our community
.”
“While we disagree with the ICO’s decision, which relates to May 2018 – July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.”
Comment
The fine imposed on TikTok follows the publication of the Children’s Code. The code is made up of a set of 15 standards that businesses (such as apps, gaming platforms and web and social media sites) who may have users under the age of 13 should consider to ensure compliance with data protection laws.
The publication of the code and the TikTok fine are unsurprising developments that naturally flow from the recent shift in policy by the Government to bolster regulation of online spaces. It is clear that the Government is taking a robust approach as it looks to also implement the Online Safety Bill later this year to tackle these types of issues.
In the context of an increasingly higher level of scrutiny, businesses should therefore be mindful of their data protection obligations, especially if they provide services that are or are likely to be used by children under the age of 13. If they are found to be acting unlawfully, an investigation by the ICO could lead to potentially onerous fines (£17.5 million or 4% of annual global turnover under UK GDPR) as well as reputational damage (in this case bans on the use of the platform on government devices). The ICO is considering what ‘likely to be accessed’ captures in the context of the Children’s Code with further detail expected as a result of an ICO consultation on draft guidance on this issue.
If you have any questions or would otherwise like to discuss any issues raised in this article, please contact Lucy Pegler, David Varney or a member of the Data Protection Team.
This article was written by Will Flaim.